The 'DevSecOps' Angle: State Management and Compliance with Terraform

As cloud environments grow, the greatest threat to security is often “Configuration Drift”—untracked, manual changes made directly in the cloud console that bypass security protocols. This workshop provides a hands-on deep dive into the DevSecOps methodology for maintaining infrastructure integrity using Terraform. Moving beyond basic provisioning, participants will explore how to use Terraform as a governance engine. We will cover the creation of “Secure-by-Default” modules that utilize built-in validation to block insecure configurations—such as open SSH ports—before they are ever deployed. The core of the session focuses on the “Drift-and-Recovery” cycle: students will intentionally simulate “rogue” manual changes in the cloud console and learn how to use Terraform’s state management to detect, alert, and automatically revert infrastructure back to a compliant state. By the end of this workshop, students will understand how Infrastructure as Code acts as the ultimate “Source of Truth,” ensuring that company security policies are not just documented, but programmatically enforced.

Speaker

Adeola Adeniji

I am a seasoned security professional with over a decade of experience leveraging security in line with best practices to ensure companies are secure and business-enabled.